1. Objective and recommendation


1.1. The objective of this report is to give the Committee assurance on 
the development of the ICO’s Risk Management Policy. 


2. History and dependencies 


2.1. The Committee has previously agreed that it would receive the 
Risk Management Policy on an annual basis, for assurance. 


Developing a common understanding 


3.1. We review the Risk Management Policy on an annual basis. 
However, for two of every three years this is a “housekeeping” 
review where relatively minor changes are expected, and then the 
third year is the full review. The Risk Management Policy has 
undergone a housekeeping review this year, but is due for a full 
review next year. 


Matters to consider to achieve objective 


4.1. The Risk Management Policy sets out the ICO’s approach to 
managing risks and exploiting opportunities. The minor changes 
which have been made to the Risk Management Policy as part of 
this year’s review are set out in tracked changes at Annex 1. The 
objectives of this policy remain unchanged. In the main, these 
changes simply expand on the existing policy, giving a little more 
information to enhance understanding of the purpose of the policy 
at all levels of the organisation. 


4.2. The Policy is supported by a working-level document, the Risk 
Management Procedure, which sets out exactly how we deliver the 
policy. This document is owned by the Corporate Governance 
Team. 

4.3. The Management Board will be asked to conduct their annual 
review of the ICO’s risk appetite in March 2022. Any updates to 
the risk appetite will then be added into the Risk Management 
Policy. 


4.4. We have continued to refine our approach to managing risk 
throughout the organisation over the last year. As well as the 
development of Directorate risk registers and the further 
embedding of the Risk and Governance Board, we have overhauled 
the process for reviewing corporate risks. These risk reviews are 
now scheduled based on the assessment of the risk owner of when 
a review would be most impactful. These reviews are actively 
facilitated by the Corporate Governance Team, and this will 
continue during 2022. The Risk and Business Continuity Manager, 
who will be recruited during early 2022, will lead on this activity. 


Areas for challenge 


Does the policy remain appropriate? Are there any areas for 
further development that the Committee would like to see in future 
iterations? 


Communications considerations 


6.1. There are no communications considerations to this report. 


Next steps 


7.1. The next steps for this work are: 


• Complete the review of the ICO’s risk appetite at Management 
Board in March 2022. 


• Communicate any changes to risk appetite areas internally. 


• Conduct the full review of our risk management policy to bring 
to the Audit and Risk Committee in January 2023. 


Author: Chris Braithwaite 


Consultees: Joanne Butler, Louise Byers 


List of Annexes: Annex 1 - Risk Management Policy 


Publication decision: This report can be published internally and 
externally without redactions. 


Outcome reached: 